```
# Nmap 7.80 scan initiated Thu Mar 26 23:50:58 2020 as: nmap -A -oA nmap_full 10.10.10.176
Nmap scan report for 10.10.10.176
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/26%OT=22%CT=1%CU=39363%PV=Y%DS=2%DC=T%G=Y%TM=5E7D31E
OS:7%P=x86_64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=
OS:A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M5
OS:4DST11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE8
OS:8)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   30.66 ms 10.10.14.1
2   30.79 ms 10.10.10.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 23:51:19 2020 -- 1 IP address (1 host up) scanned in 20.68 seconds
```
Only ports 22 and 80 are open, so we must start with the web application.
The client-side validation script of the form:

```javascript
if (document.location.search.match(/type=embed/gi)) {
  window.parent.postMessage("resize", "*");
}

// Only checks that the fields are non-empty; the length limits are stated
// in the alert messages but never actually enforced here.
function validateForm() {
  var x = document.forms["myForm"]["name"].value;
  var y = document.forms["myForm"]["email"].value;
  if (x == "") {
    alert("Please fill name field. Should not be more than 10 characters");
    return false;
  }
  if (y == "") {
    alert("Please fill email field. Should not be more than 20 characters");
    return false;
  }
}
```
So the field sizes are limited to:
name <= 10
email <= 20
If they put a limit client-side, there is probably a matching limit server-side too.
We can try a SQL truncation attack.
The server checks whether the email `admin@book.htb` followed by padding spaces and then `noraj` already exists;
of course it does not, so when creating our account the MySQL database
cuts whatever comes after 20 characters and drops the trailing spaces, so it
ends up updating the password of the already existing admin@book.htb.
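What actually happens in the database, and why a server-side length check closes it, as an added illustration that is not the application's code: a small in-memory table stands in for MySQL, assuming a `VARCHAR(20)` email column, a PAD SPACE collation (trailing spaces ignored by `=`), a non-strict `sql_mode` and no UNIQUE index on the column.

```python
EMAIL_WIDTH = 20  # column width inferred from the 20-character client-side limit


def mysql_store(value: str, width: int, strict: bool) -> str:
    """How MySQL writes a value into VARCHAR(width).
    Non-strict sql_mode: silently truncate to `width` characters (a warning only).
    STRICT_TRANS_TABLES: the INSERT fails with 'Data too long for column'."""
    if strict and len(value) > width:
        raise ValueError("Data too long for column 'email'")
    return value[:width]


def mysql_equal(a: str, b: str) -> bool:
    """PAD SPACE collation (e.g. utf8mb4_general_ci): '=' ignores trailing spaces."""
    return a.rstrip(" ") == b.rstrip(" ")


def register(users: list, email: str, password: str, hardened: bool) -> bool:
    """Sign-up as check-then-insert. Vulnerable: the existence check runs on the
    raw input, the INSERT then stores a truncated copy. Hardened: length is
    enforced server-side and the INSERT runs in strict mode."""
    if hardened:
        email = email.strip()
        if not 0 < len(email) <= EMAIL_WIDTH:
            return False  # reject instead of letting the database "fix" it
    if any(mysql_equal(u["email"], email) for u in users):
        return False  # "email already exists"
    try:
        stored = mysql_store(email, EMAIL_WIDTH, strict=hardened)
    except ValueError:
        return False
    users.append({"email": stored, "password": password})
    return True


def login(users: list, email: str, password: str) -> bool:
    """SELECT ... WHERE email = ? AND password = ?: any matching row authenticates."""
    return any(mysql_equal(u["email"], email) and u["password"] == password
               for u in users)


def padded_signup_authenticates_as_admin(hardened: bool) -> bool:
    """Replays the padded sign-up described above against a constructed users
    table and reports whether it then authenticates as admin@book.htb."""
    users = [{"email": "admin@book.htb", "password": "admin-secret"}]  # constructed row
    crafted = "admin@book.htb".ljust(EMAIL_WIDTH) + "noraj"  # 25 chars: lookup misses
    register(users, crafted, "attacker-pw", hardened)
    return login(users, "admin@book.htb", "attacker-pw")
```

With `hardened=False` the truncated row compares equal to the admin's under the collation and the login succeeds; with `hardened=True` the over-length value is rejected before it reaches the database. A UNIQUE index on the column would additionally make the duplicate INSERT fail.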
On the admin Collections page http://book.htb/admin/collections.php we can download
a PDF of all the users or of all the books, which seems to be dynamically generated.
Note: we can't exploit the XSS in the name because it is limited to 10 chars.
Also in the user interface there is a Collections page http://book.htb/collections.php
where any user can submit a new book.
So we could probably inject an XSS payload in the book title, which will be
embedded in the dynamically generated book collection PDF, so we execute
JavaScript code in the context of the backend (maybe a bot or a script using
PhantomJS).
So we just have to use a simple XSS payload to serve our local script.
With the code execution we can try to do an SSRF (Server Side Request Forgery)
with an XHR (XMLHttpRequest).
We can then make requests with the file:// pseudo-protocol to read local
files.
It takes several minutes before our book is added to the collection, so we can
monitor the search page http://book.htb/search.php (searching by author) to see
when it has been added.
So we will be able to exploit a vulnerability named logrotten: by writing to a
file rotated by logrotate we will be able to write a file to any location.
Since there is a backups folder right under our nose and an access.log file
we can write to that seems to be rotated, let's assume we can exploit this
vulnerability.
```
reader@book:~$ ls -lh backups/
total 4.0K
-rw-r--r-- 1 reader reader  0 Jan 29 13:05 access.log
-rw-r--r-- 1 reader reader 91 Jan 29 13:05 access.log.1
```
Since it's a race condition, it may take several executions before it works.
The log file and our payload file will be written into
/etc/bash_completion.d/, so the next time root logs in it will execute our
payload (maybe a cron task).